iDefense reported an integer overflow in the _cupsImageReadTIFF() function in the "imagetops" filter, leading to a heap-based buffer overflow (CVE-2009-0163).

Aaron Siegel of Apple Product Security reported that the CUPS web interface does not verify the content of the "Host" HTTP header properly (CVE-2009-0164).

Braden Thomas and Drew Yao of Apple Product Security reported that CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf and poppler.

Impact

A remote attacker might send or entice a user to send a specially crafted print job to CUPS, possibly resulting in the execution of arbitrary code with the privileges of the configured CUPS user -- by default this is "lp", or a Denial of Service. Furthermore, the web interface could be used to conduct DNS rebinding attacks.